CN113468555A - Method, system and device for identifying client access behavior - Google Patents


Publication number: CN113468555A
Authority: CN (China)
Prior art keywords: class, client access, model, classification model, access behavior
Legal status: Pending
Application number: CN202110629454.5A
Other languages: Chinese (zh)
Inventors: 沈忱, 姜科, 刘伟旭, 林建庭, 曾竹
Current Assignee: Xiamen International Bank Co ltd
Original Assignee: Xiamen International Bank Co ltd
Application filed by Xiamen International Bank Co ltd
Priority to CN202110629454.5A
Publication of CN113468555A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method, a system and a device for identifying client access behavior. The system comprises a horizontal classification model and a hierarchical classification model. Data of the client access behavior is input into the horizontal classification model to obtain major-class feature vectors, and the horizontal classification model identifies the major class of the client access behavior from the major-class feature vectors. The major-class feature vectors of the majority-sample major classes are input into the hierarchical classification model to obtain minor-class feature vectors, and the hierarchical classification model identifies the minor class of the client access behavior from the minor-class feature vectors. The major classes comprise the majority-sample major classes and the minority-sample major classes, and the types comprise the minor classes and the minority-sample major classes. The invention integrates several machine learning methods and achieves better identification of client access behavior while saving the cost of manually constructing, updating and maintaining a rule base.

Description

Method, system and device for identifying client access behavior
Technical Field
The invention relates to the technical field of data security, in particular to a method, a system and a device for identifying client access behaviors.
Background
The firewall is the first line of defense for information security. As network technologies are updated rapidly, new hacking techniques keep emerging, which challenges traditional rule-based firewalls. Traditional intrusion detection intercepts intrusion access by maintaining a rule set, and has the following technical defects: on the one hand, hard rules are easy to bypass, and a rule set based on past knowledge can hardly deal with 0day attacks; on the other hand, as attack and defense keep escalating against each other, constructing and maintaining defense rules has a high threshold and a high cost.
A new generation of web intrusion detection based on machine learning is expected to make up for the defects of the traditional rule-set method and to bring new development and breakthroughs to the defending side of web attack and defense. However, machine learning also faces challenges in web intrusion detection, the most difficult of which is the lack of labeled data. Although there is a large amount of normal access traffic data, web intrusion samples are rare and diverse, which makes model learning and training difficult. Therefore, most web intrusion detection at present is based on unsupervised methods: a large number of normal logs are modeled, and a log that does not conform to normal traffic is identified as abnormal.
Disclosure of Invention
The invention provides a method, a system and a device for identifying client access behaviors to solve the problems, integrates various machine learning methods, and can realize better identification of the client access behaviors on the premise of saving the cost of manually constructing, updating and maintaining a rule base.
In order to achieve the purpose, the invention adopts the technical scheme that:
a client access behavior recognition system comprises a horizontal classification model and a hierarchical classification model; data of the client access behavior is input into the horizontal classification model to obtain major-class feature vectors, and the horizontal classification model identifies the major class of the client access behavior from the major-class feature vectors; the major-class feature vectors of the majority-sample major classes are input into the hierarchical classification model to obtain minor-class feature vectors, and the hierarchical classification model identifies the minor class of the client access behavior within the majority-sample major classes from the minor-class feature vectors; the major classes comprise the majority-sample major classes and the minority-sample major classes, and the types comprise the minor classes and the minority-sample major classes.
Preferably, the system further includes a new type recognition model; the minor-class feature vector, or the major-class feature vector of a minority-sample major class, is input into the new type recognition model, which detects whether the type of the client access behavior is abnormal.
Preferably, the horizontal classification model is an XGBoost model or a LightGBM model, the hierarchical classification model is an XGBoost model or a LightGBM model, and the new type recognition model is a One-Class SVM model or an isolation forest model.
Preferably, the method for constructing the system comprises the following steps: collecting data of client access behaviors, and labeling labels on the data of the client access behaviors to obtain training data, wherein the labels comprise the labels of the major classes and the labels of the minor classes; model parameters of the horizontal classification model, the hierarchical classification model, and the new type recognition model are optimized using the training data, respectively.
Preferably, a grid search cross validation method is adopted to optimize the model parameters of the horizontal classification model.
Preferably, accuracy, macro precision and macro recall are used as evaluation indexes of the horizontal classification model.
Preferably, the hierarchical classification model is constructed by optimizing model parameters of the hierarchical classification model by using a cost-sensitive learning method.
Preferably, the new type recognition models correspond to the types one to one; when a new type recognition model is constructed, the training data of all types other than the corresponding type is used as the training set, and the training data of the corresponding type is used as the test set.
Based on the same inventive concept, the invention also provides a client access behavior identification method, which comprises the following steps: identifying the major class of the client access behavior from the data of the client access behavior, wherein the major classes comprise majority-sample major classes and minority-sample major classes; identifying the minor class of the client access behavior within the majority-sample major classes from the data of the client access behavior of the majority-sample major classes; and outputting the type of the client access behavior, the types comprising the minor classes and the minority-sample major classes.
Based on the same inventive concept, the invention also provides a client access behavior recognition device, which comprises: the data collection module is used for collecting data of the client access behavior; the identification module is loaded with the system and used for identifying the data of the client access behavior and outputting an identification result.
The invention has the beneficial effects that:
1. the horizontal classification model divides the client access behaviors into a plurality of major classes, and the hierarchical classification model subdivides the minor classes in each major class, so that the open set classification can be conveniently and rapidly realized, and the known client access types can be distinguished;
2. the new type identification model can identify new attack behaviors which do not belong to the known type;
3. cost-sensitive weighting is carried out among the subclasses with larger misclassification loss, so that the probability that the high-risk class is misclassified into the low-risk class can be reduced;
4. a new type recognition model is respectively established for each known type, training data except the corresponding type is used as a training set, and the training data of the type is used as a test set, so that the effect of recognizing a novel attack behavior by the model can be improved.
Drawings
FIG. 1 is a schematic flow chart of a method for classifying client access behavior;
FIG. 2 is a schematic illustration of types of client access behaviors;
FIG. 3 is a schematic diagram of a new type recognition model.
Detailed Description
In order to make the technical problems, technical solutions and advantageous effects to be solved by the present invention clearer and more obvious, the present invention is further described in detail with reference to specific embodiments below. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example one
The invention provides a client access behavior recognition technique based on the fusion of multiple machine learning algorithms. It addresses the problems of network attack recognition based on hard rule matching in traditional network security protection: low efficiency, a high threshold and high cost for updating and maintaining the rule base, and advanced threats that may go unreported. Unlike the traditional security approach of building ever higher walls, the method focuses on identifying network attack behavior; compared with deceiving a firewall, it is much harder for a hacker to imitate a user's online behavior pattern. Visitor behavior features are extracted from a large amount of raw data, the model is trained and optimized, and the resulting system judges from security log data whether a user's access behavior carries risk, that is, whether a network attack threat exists, and raises an alarm in time so that the security administrator can attend to the attack behavior and take targeted protective measures. This way of identifying access behavior does not require users to spend extra time or effort on SMS or graphic verification and causes no inconvenience in operation; all the user needs to do is "behave normally". The invention aims to identify client access behavior efficiently and to alarm automatically on attack behavior while saving cost and improving user experience as far as possible.
According to different business requirements, the invention constructs a horizontal classification model to achieve the highest classification accuracy, and a cost-sensitive hierarchical classification model to reduce the probability that a high-risk class is misclassified as a low-risk class.
In addition, there may be many types of client access behavior that the limited types labeled in the raw data samples cannot cover; an access behavior that belongs to none of the known labels would, after passing through the two models, be assigned to one of the known types according to similarity. The invention instead aims to identify such client access behavior as a novel attack behavior, so a new type recognition model is also provided.
Example one
The embodiment provides a client access behavior recognition system, which is used for recognizing types of client access behaviors, and comprises a horizontal classification model, a hierarchical classification model and a new type recognition model.
The construction of the system described in this embodiment includes the following steps:
1) Obtain the training data set. Data is first acquired from reliable sources by collecting user access logs and penetration test access logs, by self-simulation and by other means; the data is then labeled with the type of the corresponding client access behavior and used as training data.
The labels provided by the invention have a hierarchical structure. Referring to FIG. 1, the first layer is divided into four major classes: machine access (robot), user access (normal), internet banking assistant (assistant) and public network monitor (monitor). The training data set is imbalanced across the major classes: machine access and user access data are majority samples and their major classes are the majority-sample major classes, while internet banking assistant (assistant) and public network monitor (monitor) are minority samples. The second layer further subdivides the majority-sample major classes into different minor classes, which correspond to different risk levels.
Referring to FIG. 2, the types distinguished by the system in this embodiment comprise 9 minor classes and the minority-sample major classes.
Then, for each record, the access behavior features of a single IP within one hour are counted, such as the number of requests, the number of URL types, the number of request method types and the number of HTTP response status code types.
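The per-IP hourly counting described above, as an added example that is not part of the patent. It assumes the logs are in the common/combined access log format and that a "URL type" is the path without its query string; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format: ip ident user [time] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})\b'
)
FEATURE_ORDER = ("requests", "distinct_urls", "distinct_methods", "distinct_status")


def hourly_ip_features(lines):
    """Aggregate log lines into one feature dict per (ip, hour).

    Returns (features, skipped), where skipped counts lines that could not be
    parsed (for example an empty or malformed request line).
    """
    buckets = defaultdict(
        lambda: {"requests": 0, "urls": set(), "methods": set(), "status": set()}
    )
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            skipped += 1
            continue
        # Truncate to the start of the hour, keeping the log's own UTC offset.
        hour = ts.replace(minute=0, second=0, microsecond=0).isoformat()
        b = buckets[(m["ip"], hour)]
        b["requests"] += 1
        # Assumption: query strings are dropped so /a?x=1 and /a count once.
        b["urls"].add(m["url"].split("?", 1)[0])
        b["methods"].add(m["method"])
        b["status"].add(m["status"])
    features = {
        key: {
            "requests": b["requests"],
            "distinct_urls": len(b["urls"]),
            "distinct_methods": len(b["methods"]),
            "distinct_status": len(b["status"]),
        }
        for key, b in buckets.items()
    }
    return features, skipped


def to_vector(feature_dict):
    """Fixed-order numeric vector, ready to feed to a classifier."""
    return [feature_dict[name] for name in FEATURE_ORDER]


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2021:10:01:12 +0800] "GET /login HTTP/1.1" 200 512',
    '192.0.2.10 - - [07/Jun/2021:10:05:40 +0800] "POST /login HTTP/1.1" 302 0',
    '192.0.2.10 - - [07/Jun/2021:11:00:03 +0800] "GET /account?id=1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [07/Jun/2021:10:00:01 +0800] "GET /admin HTTP/1.1" 404 0',
    '198.51.100.7 - - [07/Jun/2021:10:00:01 +0800] "GET /admin.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [07/Jun/2021:10:00:02 +0800] "HEAD /backup.zip HTTP/1.1" 403 0',
    '198.51.100.7 - - [07/Jun/2021:10:00:02 +0800] "GET /admin?x=1 HTTP/1.1" 404 0',
    '198.51.100.7 - - [07/Jun/2021:10:00:03 +0800] "-" 400 0',
]

if __name__ == "__main__":
    feats, skipped = hourly_ip_features(SAMPLE_LOG)
    for key in sorted(feats):
        print(key, to_vector(feats[key]))
    print("unparsed lines:", skipped)
```

Unparsed lines are counted rather than silently dropped, since a burst of malformed requests from one address is itself worth tracking.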
2) Train the horizontal classification model. In this embodiment, when constructing the horizontal classification model and the hierarchical classification model, the training data set is divided 3:1 into a training set and a test set; the model is trained on the training set and its classification accuracy is verified on the test set. This ensures that enough samples go into training while the verification samples still yield a reasonably accurate result.
Referring to FIG. 1, the horizontal classification model predicts the leaf-node classes using only a single classifier, regardless of the hierarchical relationship between classes. In this embodiment, several classifiers (logistic regression, SVM, random forest, XGBoost and LightGBM) are compared, and LightGBM is finally selected to train the multi-class model. LightGBM uses the boosting ensemble method and, like XGBoost, is an efficient implementation framework for GBDT; its main idea is to train weak classifiers (decision trees) iteratively to obtain an optimal model. LightGBM supports efficient parallel training and, compared with GBDT, offers faster training, lower memory consumption, better accuracy and the ability to process massive data quickly; in many respects it also outperforms XGBoost.
The horizontal classification model in this embodiment finds its optimal parameters by grid search with cross validation, a method that combines grid search and cross validation. Grid search optimizes model performance by traversing a given set of parameter combinations. In the grid search method, the original data is divided into 3 parts: a training set, a validation set and a test set. The training set is used for model training, the validation set for tuning parameters, and the test set for measuring the performance of the model. The performance of the final model therefore depends heavily on how the original data happens to be partitioned, and cross validation is used to reduce this element of chance.
3) Train the hierarchical classification model. Referring to FIG. 1, the hierarchical classification model takes the hierarchical relationships between classes into account. The hierarchical classification model in this embodiment also uses a LightGBM classifier, and minor classes are subdivided separately within the two major classes, user access and machine access. Because high-risk access (attack) among machine access behaviors is frequently misclassified as low-risk access (bot), a cost-sensitive matrix is introduced for weighting in the training stage of the hierarchical classification model for the machine access major class: a higher cost is assigned to misclassifying high-risk access as low-risk access, and training iterates until the overall misclassification loss approaches its minimum, which reduces the probability that the resulting model misclassifies high-risk access as low-risk access. The specific matrix parameters are shown in Table 1. The hierarchical classification model for the user access major class can be trained without a cost-sensitive matrix.
TABLE 1 machine Access to broad classes of cost sensitive matrices
[Table 1 appears only as an image in the original publication (Figure BDA0003103055700000071) and is not reproduced here.]
4) Train the new type recognition models. Referring to FIG. 3, a new type recognition model is created for each known type in the training data set. In this embodiment, the new type recognition model is chosen from One-Class SVM and isolation forest. One-Class SVM is a support vector machine that models samples of a single class: the origin is assumed to be the only abnormal point, and a hyperplane is sought that separates the target-class samples from the origin with the maximum margin. Isolation forest is a tree-based anomaly detection method: decision trees are constructed randomly, and a statistic built from a sample's average depth over all trees is used to judge whether it is abnormal.
The classification accuracy of a model is obtained by comparing its predictions with the annotated labels. For the new type recognition model of each type, the training data of all other types is used as the training set and the training data of that type as the test set; that is, the type is treated as unknown during training and none of its data is used for training, and during testing its data plays the role of a novel attack to verify the anomaly detection effect of the model. The anomaly detection effects of One-Class SVM and isolation forest are compared, and for each type the better of the two is chosen as its new type recognition model.
If a sample is classified into a certain type by the LightGBM classifier but is detected as abnormal by the new type recognition model of that type, the sample is judged to be an unknown new type; otherwise it belongs to that type.
5) Model evaluation. The evaluation results of the models are averaged over 50 rounds of model validation.
For the horizontal classification model, accuracy, macro precision and macro recall are chosen as evaluation indexes. In the binary case, precision measures how often normal users are wrongly blocked, and recall measures how often attack behavior is missed. Macro precision and macro recall take every class of the multi-class problem into account. The accuracy of the horizontal classification model in this embodiment reaches 93.06%, and macro precision and macro recall reach 93.04% and 91.05% respectively, which is roughly on a par with manual classification.
The cost-sensitive hierarchical classification model is evaluated by its misclassification loss. The accuracy of the hierarchical classification model is 76.51%, and the overall misclassification loss is reduced from 218.845 (without weighting) to 202.225.
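Why the hierarchical model is scored by misclassification loss and not only by accuracy, as an added example that is not part of the patent. The cost values, the third subclass name `other` and both prediction lists are constructed, because Table 1 is not reproduced on this page; deriving per-sample training weights from the row maxima of the cost matrix is one common choice and an assumption, not the patent's stated procedure.

```python
from collections import Counter

LABELS = ("attack", "bot", "other")  # "other" is a hypothetical third subclass

# COST[true][predicted]; constructed values. Calling an attack a bot is the
# expensive mistake, mirroring the high-risk -> low-risk error in the text.
COST = {
    "attack": {"attack": 0, "bot": 5, "other": 3},
    "bot":    {"attack": 1, "bot": 0, "other": 1},
    "other":  {"attack": 1, "bot": 1, "other": 0},
}


def evaluate(y_true, y_pred, labels=LABELS, cost=COST):
    """Accuracy, macro precision, macro recall and total misclassification loss."""
    n = Counter(zip(y_true, y_pred))  # n[(true, predicted)] = count
    precisions, recalls = [], []
    for c in labels:
        tp = n[(c, c)]
        predicted = sum(n[(t, c)] for t in labels)
        actual = sum(n[(c, p)] for p in labels)
        # A class that is never predicted (or never occurs) scores 0, not an error.
        precisions.append(tp / predicted if predicted else 0.0)
        recalls.append(tp / actual if actual else 0.0)
    return {
        "accuracy": sum(n[(c, c)] for c in labels) / len(y_true),
        "macro_precision": sum(precisions) / len(labels),
        "macro_recall": sum(recalls) / len(labels),
        "loss": sum(cost[t][p] * k for (t, p), k in n.items()),
    }


def sample_weights(y_true, cost=COST):
    """Per-sample weight = worst-case cost of misclassifying the true class.

    Assumption: one common way to hand a cost matrix to a boosted-tree
    trainer that accepts per-sample weights.
    """
    return [max(cost[t].values()) for t in y_true]


# Constructed ground truth and two constructed sets of predictions.
Y_TRUE = ["attack"] * 4 + ["bot"] * 4 + ["other"] * 2
PRED_UNWEIGHTED = ["attack", "attack", "bot", "bot"] + ["bot"] * 4 + ["other"] * 2
PRED_COST_SENSITIVE = ["attack"] * 4 + ["bot", "bot", "attack", "attack"] + ["other"] * 2

if __name__ == "__main__":
    for name, pred in (("unweighted", PRED_UNWEIGHTED),
                       ("cost-sensitive", PRED_COST_SENSITIVE)):
        print(name, evaluate(Y_TRUE, pred))
    print("weights:", sample_weights(Y_TRUE))
```

Both prediction sets have the same accuracy, macro precision and macro recall; only the loss separates the model that misses attacks from the one that over-reports them.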
For the new type recognition model of each type, the training data of that type is treated as an unknown type during testing to verify how well the model identifies novel attack behavior; the evaluation results are shown in Table 2.
TABLE 2 evaluation results of the New type recognition model
[Table 2 appears only as images in the original publication (Figures BDA0003103055700000081 and BDA0003103055700000091) and is not reproduced here.]
5) Online operation. The system of this embodiment is built from the three models constructed above, and an online module is deployed to perform real-time client access behavior recognition.
The system in this embodiment is organized around three functions: horizontal classification, hierarchical classification and new type recognition. Horizontal classification identifies various intrusion access behaviors with high accuracy; cost-sensitive hierarchical classification uses a cost-sensitive matrix for weighting to obtain the minimum misclassification loss, which reduces the probability that a high-risk class is misclassified as a low-risk class. Most current classification models only achieve closed-set classification: they distinguish the classes fixed in the training set and cannot identify unknown classes that are absent from it. The system in this embodiment combines a LightGBM multi-class model with One-Class SVM and isolation forest anomaly detection models and can implement open-set classification conveniently and quickly: it not only distinguishes well the types of client access behavior labeled in the training data set, but also identifies novel attack behavior that belongs to none of these known types.
The system described in this embodiment can be applied to a banking system, and is used for identifying the access behavior of the client.
Most of the current web intrusion detection technologies are based on an unsupervised method, a model is built according to a large number of normal logs, and if the model does not conform to normal traffic, the model is identified as abnormal. The system described in this embodiment utilizes the original log to count the characteristic data of the client access behavior, and combines various supervised and unsupervised learning methods to perform automatic learning and training, thereby achieving the purpose of identifying the client access behavior.
Compared with the traditional method of intercepting intrusion access by maintaining a rule set in a security protection strategy, the system of the embodiment saves the cost of constructing and maintaining a defense rule base, solves the problem that the traditional hard rule is easy to be bypassed by a flexible hacker, has higher capacity of identifying intrusion behaviors, and can adapt to different business requirements.
Example two
The embodiment provides a method for identifying a client access behavior used by a system in the first embodiment, which includes the following steps:
S1. Input the data of the client access behavior into the horizontal classification model to obtain major-class feature vectors; the horizontal classification model identifies the major class of the client access behavior from the major-class feature vectors. The major classes comprise the majority-sample major classes and the minority-sample major classes.
S2. Input the major-class feature vectors of the majority-sample major classes into the hierarchical classification model to subdivide the minor classes and obtain minor-class feature vectors; the hierarchical classification model identifies the minor class of the client access behavior within the majority-sample major classes from the minor-class feature vectors. The minor classes and the minority-sample major classes together constitute the types of client access behavior.
S3. Input the minor-class feature vectors into the new type recognition model and detect whether the type of the client access behavior is abnormal. If it is normal, the type is output; if it is abnormal, the client access behavior is output as a novel attack behavior and an alarm is raised.
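Step S3 and the leave-one-type-out check from the training step for the new type recognition models, as an added example that is not part of the patent. It assumes NumPy and scikit-learn are installed, uses a single `GradientBoostingClassifier` as a stand-in for the two LightGBM stages, fits each type's One-Class SVM on that type's own samples (one reading of the text), and runs on constructed cluster centres over the four hourly features.

```python
import numpy as np
from sklearn.ensemble import GradientBoostingClassifier
from sklearn.pipeline import make_pipeline
from sklearn.preprocessing import StandardScaler
from sklearn.svm import OneClassSVM

NEW_TYPE = "new_type"

# Constructed centres: requests, distinct URLs, distinct methods, distinct status codes.
TYPE_CENTERS = {
    "normal": [30, 8, 2, 2],
    "bot": [400, 150, 1, 2],
    "attack": [900, 600, 5, 6],
    "assistant": [60, 3, 1, 1],
    "monitor": [12, 1, 1, 1],
}


def make_samples(seed=42, n_per_type=200):
    """Synthetic data: each feature is its centre with 10% Gaussian noise."""
    rng = np.random.default_rng(seed)
    X, y = [], []
    for name, center in TYPE_CENTERS.items():
        c = np.asarray(center, dtype=float)
        X.append(c * (1 + 0.1 * rng.standard_normal((n_per_type, c.size))))
        y += [name] * n_per_type
    return np.vstack(X), np.array(y, dtype=object)


class OpenSetRecognizer:
    """Closed-set classifier followed by one novelty detector per known type."""

    def fit(self, X, y):
        self.clf = GradientBoostingClassifier(n_estimators=30, random_state=0).fit(X, y)
        self.detectors = {
            t: make_pipeline(StandardScaler(), OneClassSVM(nu=0.05, gamma="scale")).fit(X[y == t])
            for t in np.unique(y)
        }
        return self

    def predict(self, X):
        types = self.clf.predict(X)
        out = types.astype(object)
        for t, detector in self.detectors.items():
            idx = np.flatnonzero(types == t)
            if idx.size:
                # -1 means "abnormal for this type": report a new type and alarm.
                abnormal = detector.predict(X[idx]) == -1
                out[idx[abnormal]] = NEW_TYPE
        return out


def leave_one_type_out(X, y, held_out, seed=0):
    """Train without `held_out`, then present it as a novel attack.

    Returns (detection_rate, false_alarm_rate, known_accuracy); the known
    types are split 3:1 into training and test data as in the text.
    """
    rng = np.random.default_rng(seed)
    known = y != held_out
    idx = rng.permutation(np.flatnonzero(known))
    cut = int(0.75 * idx.size)
    train, test = idx[:cut], idx[cut:]
    model = OpenSetRecognizer().fit(X[train], y[train])
    detection = float(np.mean(model.predict(X[~known]) == NEW_TYPE))
    known_pred = model.predict(X[test])
    false_alarm = float(np.mean(known_pred == NEW_TYPE))
    accuracy = float(np.mean(known_pred == y[test]))
    return detection, false_alarm, accuracy


def evaluate_all(seed=42):
    X, y = make_samples(seed)
    return {t: leave_one_type_out(X, y, t) for t in TYPE_CENTERS}


if __name__ == "__main__":
    for t, (det, fa, acc) in evaluate_all().items():
        print(f"{t:10s} detection={det:.2f} false_alarm={fa:.2f} known_acc={acc:.2f}")
```

The false-alarm rate is the price of open-set detection: every known-type sample flagged as new lowers the accuracy on known types, so `nu` has to be tuned against the alert volume an operations team can handle.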
Those skilled in the art will understand that all or part of the steps in the above embodiments of the data identification method may be implemented by a program, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
EXAMPLE III
The embodiment provides a client access behavior recognition apparatus, including:
and the data collection module is used for collecting the data of the client access behaviors and transmitting the data to the identification module to identify the types of the client access behaviors.
And the identification module is loaded with the system in the first embodiment, and identifies the data of the access behavior of the client by adopting the method in the second embodiment and outputs an identification result.
While the above description shows and describes the preferred embodiments of the present invention, it is to be understood that the invention is not limited to the forms disclosed herein, but is not to be construed as excluding other embodiments and is capable of use in various other combinations, modifications, and environments and is capable of changes within the scope of the inventive concept as expressed herein, commensurate with the above teachings, or the skill or knowledge of the relevant art. And that modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A client access behavior recognition system, characterized by comprising a horizontal classification model and a hierarchical classification model;
data of the client access behavior is input into the horizontal classification model to obtain major-class feature vectors, and the horizontal classification model identifies the major class of the client access behavior from the major-class feature vectors;
the major-class feature vectors of the majority-sample major classes are input into the hierarchical classification model to obtain minor-class feature vectors, and the hierarchical classification model identifies the minor class of the client access behavior within the majority-sample major classes from the minor-class feature vectors;
the major classes comprise the majority-sample major classes and the minority-sample major classes, and the types comprise the minor classes and the minority-sample major classes.
2. The client access behavior recognition system of claim 1, further comprising a new type recognition model, wherein the minor-class feature vector, or the major-class feature vector of a minority-sample major class, is input into the new type recognition model, and the new type recognition model is used for detecting whether the type of the client access behavior is abnormal.
3. The client access behavior recognition system of claim 2, wherein the horizontal classification model is an XGBoost model or a LightGBM model, the hierarchical classification model is an XGBoost model or a LightGBM model, and the new type recognition model is a One-Class SVM model or an isolation forest model.
4. The client access behavior recognition system of claim 2, wherein the system is constructed by the method comprising the steps of:
collecting data of client access behaviors, and labeling labels on the data of the client access behaviors to obtain training data, wherein the labels comprise the labels of the major classes and the labels of the minor classes;
model parameters of the horizontal classification model, the hierarchical classification model, and the new type recognition model are optimized using the training data, respectively.
5. The client access behavior recognition system of claim 4, wherein model parameters of the horizontal classification model are optimized using a grid search cross validation method.
6. The client access behavior recognition system of claim 4, wherein accuracy, macro precision, and macro recall are employed as evaluation indicators of the horizontal classification model.
7. The client access behavior recognition system of claim 4, wherein the hierarchical classification model is constructed by optimizing model parameters of the hierarchical classification model using a cost-sensitive learning method.
8. The client access behavior recognition system of claim 4, wherein the new type recognition models are in one-to-one correspondence with the types, and wherein each new type recognition model is constructed using the training data of the types other than its corresponding type as a training set and the training data of its corresponding type as a test set.
9. A client access behavior recognition method is characterized by comprising the following steps:
identifying a large class of the client access behavior according to data of the client access behavior, wherein the large class comprises a majority sample large class and a minority sample large class;
identifying the subclass of the client access behaviors of the majority sample large class according to the data of the client access behaviors of the majority sample large class;
outputting a type of the client access behavior, the type including the subclass and the minority sample large class.
10. An apparatus for identifying client access behavior, comprising:
a data collection module used for collecting data of the client access behavior;
an identification module loaded with the system as claimed in any one of claims 1 to 8, wherein the identification module is used for identifying the data of the client access behavior and outputting an identification result.
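The routing described in claims 1, 2 and 9, as an added example that is not code from the patent: a first stage picks the large class, only majority sample large classes are refined into a subclass, and a per-type detector then flags abnormal behavior. To stay dependency-free it substitutes nearest-centroid classifiers for the XGBoost/LightGBM models and a distance threshold for the One-Class SVM/isolation forest, and it passes the same feature vector to every stage; the feature names, class labels, sample data and the 3x threshold are all assumptions.

```python
import math
from collections import defaultdict

# Constructed samples: ((requests/min, distinct-URL ratio), large class, subclass).
# All feature names and class labels are hypothetical.
TRAIN = [
    ((2.0, 0.90), "browse", "product_page"), ((2.5, 0.80), "browse", "product_page"),
    ((3.0, 0.85), "browse", "product_page"), ((6.0, 0.30), "browse", "account_page"),
    ((6.5, 0.35), "browse", "account_page"), ((7.0, 0.25), "browse", "account_page"),
    ((40.0, 0.05), "crawler", None), ((42.0, 0.04), "crawler", None),
]
MAJORITY = {"browse"}  # majority sample large classes; all others are minority

def centroid(vectors):
    return tuple(sum(col) / len(vectors) for col in zip(*vectors))

def fit_centroids(rows):
    """Stand-in classifier: one centroid per label."""
    groups = defaultdict(list)
    for vec, label in rows:
        groups[label].append(vec)
    return {label: centroid(vs) for label, vs in groups.items()}

def nearest(centroids, vec):
    return min(centroids, key=lambda label: math.dist(centroids[label], vec))

def build(train, majority):
    horizontal = fit_centroids((v, big) for v, big, _ in train)
    hierarchical = {big: fit_centroids((v, sub) for v, b, sub in train if b == big)
                    for big in majority}
    by_type = defaultdict(list)  # output type = subclass or minority large class
    for v, big, sub in train:
        by_type[sub if big in majority else big].append(v)
    detectors = {}
    for t, vs in by_type.items():
        c = centroid(vs)
        # Assumed rule: abnormal if farther than 3x the widest training distance.
        detectors[t] = (c, 3.0 * max(math.dist(c, v) for v in vs))
    return horizontal, hierarchical, detectors

def identify(models, vec):
    """Return (type, is_abnormal) for one access-behavior feature vector."""
    horizontal, hierarchical, detectors = models
    big = nearest(horizontal, vec)           # stage 1: large class
    if big in hierarchical:                  # majority: refine to a subclass
        t = nearest(hierarchical[big], vec)
    else:                                    # minority: the large class is the type
        t = big
    c, radius = detectors[t]                 # per-type novelty check
    return t, math.dist(c, vec) > radius

MODELS = build(TRAIN, MAJORITY)
```

A sample far outside every training cluster is still assigned the nearest type by the two classifiers; only the detector's flag marks it as a candidate new type.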
CN202110629454.5A 2021-06-07 2021-06-07 Method, system and device for identifying client access behavior Pending CN113468555A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110629454.5A CN113468555A (en) 2021-06-07 2021-06-07 Method, system and device for identifying client access behavior

Publications (1)

Publication Number Publication Date
CN113468555A true CN113468555A (en) 2021-10-01

Family

ID=77872309

Country Status (1)

Country Link
CN (1) CN113468555A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115600194A (en) * 2022-11-08 2023-01-13 广东技术师范大学(Cn) Intrusion detection method, storage medium and device based on XGboost and LGBM

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101266603A (en) * 2007-03-12 2008-09-17 北京搜狗科技发展有限公司 Webpage information sorting method, system and service system applying the classification
CN107305640A (en) * 2016-04-25 2017-10-31 中国科学院声学研究所 A kind of method of unbalanced data classification
CN110009040A (en) * 2019-04-08 2019-07-12 浙江工业大学 A kind of classification method towards uneven finance data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20211001)